Capturing Malware
Hack.lu 2007
Christophe Monniez, Miguël Blauwbloeme, Hillar Leoste
Nepenthes - What is it?
Low-interaction honeypot.
Simulates 22 vulnerabilities: MS Windows, DameWare, MSSQL, IIS, ...
Listens on 26 ports.
Captures the malware that uses those vulnerabilities to propagate.
C.Monniez - FCCU
Nepenthes - Where to get it
http://nepenthes.mwcollect.org
Runs on GNU/Linux, OpenBSD, FreeBSD, Mac OS X, Cygwin.
Where to find it:
Official Debian package (0.1.7-3)
Unofficial Debian package (0.2.0-1): http://home.lucianobello.com.ar/nepenthes/
Download and compile from the Subversion repository: svn co https://svn.mwcollect.org/nepenthes/trunk/
Nepenthes - Useful features
By default it does nothing but wait for malware.
Module architecture.
Submission modules to synchronize the malware repository: between two nepenthes sensors, with https://beta.mwcollect.org/, to a database, to a web server.
Nepenthes - Useful features
A Norman sandbox module: captured samples are automatically sent to the Norman sandbox and the report is received by mail (maybe broken now because of a captcha...).
A lot more modules to explore: pcap, ...
Nepenthes - Useful features
Hexdumps of unknown attacks.
Nepenthes - Where to place it?
In front of your internet connection. Examples:
On a gateway between your internal network and the internet.
Side by side with your gateway, if you can get another internet IP.
Nepenthes - Where to place it?
In some sort of DMZ. Example: forward the 26 ports from your internet gateway to the sensor.
Nepenthes - Where to place it?
In your office intranet!!! A good way to track malware that is spreading in your internal network.
Nepenthes - Where to place it?
At some ISP :-)
Nepenthes - Border filtering
It seems that some ISPs do border filtering; in that case you only capture malware coming from customers of the same ISP.
Nepenthes - Captured binaries
Binary files are stored on your disk; the file name of each binary is its MD5 hash.
Nepenthes - Log files
nepenthes.log: a very verbose log of what nepenthes did.
logged_downloads: file name and where the malware was downloaded from.
logged_submissions: file name, where it was downloaded from, and its MD5 hash.
Nepenthes - Log files
[Screenshot: logged_downloads]
[Screenshot: logged_submissions]
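An added example (not part of the slides, and not nepenthes' own code) showing what an analyst typically does with the two artefacts above: check that every file in the binaries directory really is named after the MD5 of its content (a name/hash mismatch means a truncated or tampered download, or a stray file), and reconcile logged_submissions against what is on disk. The line layout "[timestamp] source -> sensor url md5" used by the parser is an assumption about the logged_submissions format; check it against your own sensor's file. The log lines and sample files are constructed here so the script runs offline.

```python
import hashlib
import os
import re
import tempfile

# Assumed layout of a logged_submissions line (an assumption for this example,
# verify against your own sensor's output):
#   [YYYY-MM-DDTHH:MM:SS] <source ip> -> <sensor ip> <download url> <md5 of binary>
SUBMISSION_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<md5>[0-9a-f]{32})\s*$"
)


def parse_submissions(text):
    """Parse logged_submissions text into dicts; lines not matching the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = SUBMISSION_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def md5_of_file(path):
    """Stream the file through MD5 so large samples do not have to be read at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_binaries(bin_dir):
    """Return {filename: 'ok' | 'mismatch'} for every regular file in the binaries directory.
    'ok' means the file name equals the MD5 of its content, as nepenthes names captures."""
    report = {}
    for name in sorted(os.listdir(bin_dir)):
        path = os.path.join(bin_dir, name)
        if os.path.isfile(path):
            report[name] = "ok" if md5_of_file(path) == name.lower() else "mismatch"
    return report


def reconcile(entries, bin_dir):
    """Map each submitted MD5 to 'present' (intact on disk), 'corrupt' (on disk but the
    content does not hash to the name) or 'missing' (never landed in the directory)."""
    on_disk = check_binaries(bin_dir)
    out = {}
    for e in entries:
        status = on_disk.get(e["md5"])
        out[e["md5"]] = {"ok": "present", "mismatch": "corrupt"}.get(status, "missing")
    return out


def demo():
    """Constructed binaries directory and log (sample data, not real captures)."""
    tmp = tempfile.mkdtemp()
    good = b"MZ" + b"\x00" * 62 + b"constructed sample, not real malware"
    good_md5 = hashlib.md5(good).hexdigest()
    with open(os.path.join(tmp, good_md5), "wb") as f:
        f.write(good)
    # A file whose name does not match its content: simulates a truncated download.
    bad_name = "0" * 32
    with open(os.path.join(tmp, bad_name), "wb") as f:
        f.write(good[:10])
    log = (
        "[2007-10-18T10:00:01] 192.0.2.10 -> 192.0.2.1 tftp://192.0.2.10/ssms.exe " + good_md5 + "\n"
        "[2007-10-18T10:05:42] 198.51.100.7 -> 192.0.2.1 http://198.51.100.7:5554/x.exe " + bad_name + "\n"
        "[2007-10-18T10:07:13] 203.0.113.9 -> 192.0.2.1 ftp://203.0.113.9/bot.exe " + "f" * 32 + "\n"
        "this line is garbage and must be ignored\n"
    )
    entries = parse_submissions(log)
    return entries, reconcile(entries, tmp)


if __name__ == "__main__":
    entries, result = demo()
    for e in entries:
        print(e["ts"], e["src"], e["url"], e["md5"], result[e["md5"]])
```

Run the reconciliation after every batch of captures: a "corrupt" entry is a sample you should not submit to a sandbox, and a "missing" one tells you the download was logged but never completed. MD5 is what nepenthes uses for naming, so it is the key to join on; if you also want a collision-resistant identifier for sharing samples, compute a SHA-256 alongside.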
Other tools
Honeytrap: collects information about unknown attacks. http://honeytrap.mwcollect.org/
honeyd
HoneyBow: http://honeybow.mwcollect.org/
High-interaction honeypots: Honeynet.
Other tools
Bleeding Snort.
On Windows:
HoneyBOT (mid-interaction honeypot): http://www.atomicsoftwaresolutions.com/honeybot.php
Multipot: http://labs.idefense.com/software/malcode.php#more_multipot
Online sandboxes
Sunbelt sandbox: http://research.sunbelt-software.com/Submit.aspx
CWSandbox: http://www.cwsandbox.org/
Norman sandbox: http://www.norman.com/microsites/nsic/Submit/en-us
Anubis: http://analysis.seclab.tuwien.ac.at/index.php
ThreatExpert: http://www.threatexpert.com/submit.aspx
Online sandboxes
VirusTotal: http://www.virustotal.com/fr/
Question time
Questions?